So far so lease-like.

But SaaS is different from software lease models because the software itself is hosted by the supplier, with users accessing it through the ‘cloud’ ie the internet.

There is a tendency for companies and organisations to assume that compliance will not be a problem because usage is monitored and controlled by the vendor…  however the reasoning behind this complacency is fundamentally flawed, and a lot of organisations will find they come unstuck with SaaS contracts unless they have bullet proof processes for granting and managing access to SaaS applications.

“Fundamentally flawed” is a pretty big claim to make. Why do I go out on a limb with this?

Because a simple analysis of the incentives for SaaS vendors shows clearly that it is in their interest to make it as easy as possible for organisations to allow access to as many users as possible, thus maximising revenues. Some SaaS vendors may provide a service that allows access to x users and prevents an account being created for the next user until the contract has been extended, but it is far more likely that vendors will allow accounts to be created with very few restrictions, aware that every account created not only brings in an additional revenue stream, but also embeds the software more and more deeply within the organisation.

At first reading, I may sound like I’m implying that the SaaS vendors are taking unfair advantage of companies to maximise their revenue. In reality, I’m not, because if an organisation finds a piece of software so valuable that large numbers of people need and wish to use it, then it’s a positive thing that access to the software is as quick and easy as possible.

I actually believe very strongly (and only partly so that I stay in a job!!) that the onus of managing accounts and how they are used should rest squarely with the customer rather than the vendor (unless that is a service the customer has outsourced to the vendor or other service provider) – and that means good administration surrounding the granting and managing of access rights for end users.

As SaaS spreads, compliance audits with their spectre of massive unbudgeted costs are likely to become less and less common. However, the need for flexibility of access to SaaS coupled with the natural inclination of providers to make end user access as easy as possible will mean that customers could easily find themselves regularly going out of compliance in terms of the numbers of users and what they are using. The non-compliance will be discovered when the monthly or annual bill arrives, but it could still come as a nasty shock.

Managing demand, managing access and predicting future use will all be key in ensuring customers don’t go out of compliance and maximise their leverage when negotiating with SaaS vendors.

See here for a the low-down on the new rules and their implications.

It’s a relief, as many companies will still wish to install Windows XP even though the new machines they purchase have Windows 7 as the OEM.

Why?

Because upgrading an operating system, particularly for large organisations which use many sophisticated applications, is a very tricky business, although it can be summed up into three words:

Testing > Deployment > Training

You need to test each and every application to make sure it works just as well on the new operating system as it did on the old.

Once that job has been completed, Windows 7 will need to be deployed - the machines will need to be completely wiped (pity users who save to their desktop rather than to a network!), the new operating system installed and then every single application installed over the top of it. It’s a huge job, very resource intensive for IT departments, and very disruptive for users.

At the same time as the deployment is being completed, or perhaps a little before, each user needs to be trained on the new operating system.

It’s a complex process and will need to be planned carefully. It’s also been so long since the last desktop OS upgrade that it will be the first time for many IT managers.

I am sure many organisations out there have breathed a sigh of relief, just as I did, knowing that they won’t be required to spend a significant sum of money purchasing SA on their OSs just to give themselves breathing space to complete the upgrades.

8 miles long... can you see it snaking off into the distance?

I had a great discussion about Windows 7 today. Two things were immediately obvious. One is a little scary, but the other is pretty exciting (for geekettes like me, at any rate).

The scary thing is that for those XP houses that don’t have Software Assurance on their desktop Operating System licenses, options are starting to narrow. It seems that MS will no longer sell downgraded XP OEMs after October (I believe) so organisations will only be able to purchase Windows 7 or Vista.

On the other hand, if you do not purchase Software Assurance on your desktops, you will not be able to downgrade the Windows 7 OS on new machines once either a) Windows 7 SP1 is released; or b) 18 months after the release of Windows 7.

And the even scarier thing is that Windows 7 SP1 is in beta, which means it could be released at any time, although it is still likely a few months away.

More research is definitely in order!

The exciting part of the discussion revolved around the sorts of things organisations need to do to successfully plan and action the migration to Windows 7. These are things such as:

• Hardware analysis – making sure our hardware is capable of running Windows 7
• Applications analysis – who is using what applications, where and why
• Making sure we have all the licenses, serial numbers, keys etc that we need to reinstall the applications on the upgraded machines
• Testing the applications to make sure they work on Windows 7 and won’t conflict with either the OS or with each other
• Packaging the applications so they can be installed efficiently
• Understanding application and support roadmaps – when will software publishers stop supporting installs on XP? When will they start supporting installs on Windows 7? What support will they be able to provide us during the testing and re-install of applications in case things go pear shaped?

It’s pretty obvious from the list above that ITAM has a lot to offer in this process, and if we’re smart, we’ll find we can leverage a lot of activities to cleanse our data, rationalise the estate and gain control where we may not previously have had it.

ITAM and the desktop technology guys will really need to work together over the next few years to make sure Windows 7 migrations run smoothly and efficiently.

Where to begin? A good place is the beginning, I guess. Which for most people is when they join a company or organisation. We need to have processes in place to ensure that new joiners get the hardware and software they need, in a timely manner, so they can begin working in their new job on day one.

At the other end of the lifespan, we have departures, and in the middle we have moves. Each one of these events will need processes in place to make sure we don’t lose equipment and data, and ensure that we reuse as much equipment and as many licenses as possible. Mover’s processes will need to be a combination of the ‘new joiners’ processes (to make sure people are productive in their new job asap) and the leaver’s processes (to make sure we release licenses they no longer need).

Equipment also has a beginning, a lifespan and an end, so we need to have processes which manage the procurement, track the use and ensure correct disposal.

Ditto for software, although software also needs upgrade processes to ensure it is upgraded when appropriate, and kept patched so it doesn’t cause any information security problems.

We need to decide what we’re going to buy, and when, and who is going to be allowed to use it – and that applies to both hardware and software – and we need to have processes in place which ensure these decisions are made in an appropriate way and by an appropriate group of people.

Of course IT Asset Managers can’t be responsible for all this on our own, but we do need to be involved in most of these processes in order for them to work properly, and we will almost certainly have ownership of some of them.

I think that’s enough processes for the moment…

Whereas most of the posts in this blog so far have been me telling everyone what I know, this series is going to be more about the development of my thinking on what processes to implement and how to ensure that they work well.

I guess the first question to answer is what are CSFs and KPIs, and why would I want to place them so firmly in the foreground of a discussion of SAM processes.

Critical Success Factors

I’ve spent several minutes googling for a definition of CSFs, and this definition from the Critical Success Factors page at Mind Tools was the best I came across.

CSFs are the essential areas of activity that must be performed well if you are to achieve the mission, objectives or goals for your business or project.

But, in our case, replace ‘business or project’ with processes.

In the context of SAM, I think CSFs will be a useful tool for helping us identify potential ‘blocks’ that will reduce the effectiveness of our processes. They will also help us identify, in a way which can be clearly expressed to management, the areas of support we will need and the things we will need to change in order to implement effective SAM.

Key Performance Indicators (KPIs)

Key Performance Indicators measure progress towards the goals of the process. The most important thing about a KPI is that it’s measurable. Most management theorists would say they need to be ‘SMART. In the case of KPIs, this means they must be specific (we must be able to specify exactly what is being measured), measurable (that is, quantifiable), achievable (we must be able to obtain the relevant data), relevant (the data must be related to what we are trying to measure), and timely (we must be able to obtain the relevant data before it is out of date).

Why use CSFs and KPIs?

These two tools are a popular management technique, and both are specifically referenced in ITIL. As this is an ITIL oriented blog, it makes sense to use them when thinking about our processes. Additionally, both techniques are effective at helping us understand, quantify and communicate the status of our processes and what needs to be done to improve them.

ITIL says that KPIs should measure CPIs, but my reading on the subject says that this isn’t strictly necessary, so perhaps one of my goals over the next few posts might be to see whether this is always, or even generally, the case.

But what about goals?

Reading back through what I’ve just written, I’ve noticed that both CSFs and KPIs should specifically reflect the goals of the process – which means that when talking about individual processes I should be careful to explicitly define exactly what the process is trying to achieve.

So the discussion of each specific process will probably look something like this:

1. Process Title
2. What the process is trying to achieve
3. A brief description of the process flow
4. Identifying what we need to have in place in order for the process to be effective (the CSFs)
5. Identifying what we need to measure in order to be certain the processes are working properly (KPIs)

Next week…. what are the major SAM related processes that we should be discussing?

SIM Cards

SIM Cards hold the circuitry that provide the physical and electronic link between the telephone and the physical device. Not long ago, they were quite expensive and it could be difficult to reprogramme them so they were connected to a different phone number. These days, however, it is possible to programme them remotely (which means the telephone number they connect to can be changed almost instantaneously) and they are literally cheap as chips. Unless there is some specific network related reason to track SIM cards, don’t bother…. it is definitely not worth the effort for such flexible, changeable pieces of electronics.

Email or other data address

In most circumstances there is no need to track or manage the relationship between the person, the email address and the physical device because if this relationship breaks down, the device will stop working and the user will complain. For telemetry systems, that is those systems that track the location of vehicles, for instance, the users and administrators may not be aware if there is a mis-match between the device and the vehicle it is located in. In these situations the data address will need to be managed more closely, with regular exception reporting to identify if there are any problems, for instance checking driver schedules against vehicle assignment against detected locations.

Applications

The advent of sophisticated applications for mobile devices is a further reminder of just how powerful these physically tiny computers have become.  The use of applications on mobile devices will pose all the same management issues as ordinary software does on normal computers, with the added complication that there will be a huge amount of political pressure to allow users to purchase their own applications (what impact will that have on the organisation from a SAM compliance point of view?) as well as move them from device to device as they upgrade, and finally take the applications with them when they leave the organisation. The management challenges will be fascinating!

I wish I could say that these last points are my own ideas, but they’re not, and I must thank Ian Preskitt of Bytes Software Services for his ideas on the challenges of managing mobile applications in large organisations.

Contracts

Many organisations still find that their telecoms providers expect them to operate their mobile devices on a similar contract model that is used to manage personal mobile device connections.

What a pain! Contracts are bad enough when it comes to personal mobile connections, let alone in a corporate environment where there is constant change. My advice is to negotiate a move away from a contract model to a more straightforward service model where connections and disconnections can be established for a little or no fee, and with a limited notice period (one month is reasonable). Physical device subsidies can still be provided in whatever format suits the telecoms provider.

The advantages to both parties are mainly in the form of reduced administration, but they are very real.

If you find you can’t negotiate a move away from a contract based connection regime, or are locked into one for the next few years, you will need to pro-actively manage them.

The temptation is to treat them as the foundation for the management of all the other elements of a mobile device, but the reality is that contracts are one of the more volatile management elements, and should be managed as such. So my advice is to keep the phone number-person nexus constant, and assign contracts to people in much the same way as you assign devices. If someone leaves the organisation but there is still time to run on the contract, ask your telecoms provider to assign it to a new person, but make sure they get a new telephone number too.

Impossible (!) you say – the telephone number follows the contract…. no! If your telecoms provider tells you that, they are lying! Think about it – the telephone number long outlives contracts – people will often be given a new contract (perhaps in order to secure a subsidy for an upgraded device) but they aren’t asked to change their number, are they!

Always question what your telecoms provider says is and isn’t possible, and don’t be afraid to investigate alternative providers. If you do the research, you will find that the cost of administering contracts is actually very high, so factor that in when you’re evaluating suppliers.

Mobile Device Bills

For large organisations, ensuring that users have visibility of the discretionary parts of their bills (ie the phone calls, roaming charges etc) can be a real challenge. You will find that each telecoms provider will have a system in place which allows users online access to view and approve bills, but they tend to be very command and control, with complicated logins and heavy password protection which is a strong disincentive to users to actually log in and check their bills unless they are forced to. However, each vendor has a different system, and for organisations with several mobile device suppliers making sure that users take a look at their bills can be a real problem.

The good thing about these systems is that most provide users the opportunity to specify which calls were personal and which were for business, which can be important from a taxation point of view.

Unfortunately there aren’t many tools on the market which are designed to allow users to see their mobile device bills quickly and easily, and which will work across different telecoms vendors. If anyone knows of any, please let me know!

http://www.absolute.com/resource_center/webcasts/gartner2010?aa=true

This post will look at options for managing the physical device and the telephone number.

Physical Device

The Risks

As I discussed in my previous post, the physical device presents us with two types of risks that we need to manage. The key area to be aware of is that these devices pose a data security risk. Not only do they have lots of possibly company confidential emails on them, they may also have an extremely valuable list of company contacts which could lead to the poaching of leads, as well as embarrassment or worse if a client is contacted inappropriately.

The second risk posed by the physical device is a financial one. Although they are relatively cheap compared to a laptop, say, they do cost money. Additionally, because mobile telephony vendors often subsidise the cost of the physical device, replacing a lost or stolen device can incur additional expense over the original purchase price.

Mobile devices are in essence small computers. Like a normal laptop or desktop they have an operating system which can have applications installed on top of them. In the fast-paced world of mobile devices (and no I’m not being facetious!) operating systems are frequently updated in order to ensure that telecoms providers are able to offer the latest and greatest features and maintain market share in what is a very competitive market. In order to minimise support costs, this means that operating systems go through very fast lifecycles, and it’s not uncommon to find that perfectly operational devices can no longer be supported because the Telecoms provides have ceased to support the operating system.

All of these considerations mean that we need to manage mobile devices throughout their lifecycle in the same way as we manage other IT equipment.

To tag or not to tag? That is the question…

Industry good-practice is to asset tag all actively managed equipment, and some organisations do in fact asset tag their mobile devices, using the unique EMEI number as a serial number. If you do this, please don’t follow the practice of one organisation I worked in where they put the asset tag on the back cover. When the device was swapped out (for instance if it was sent to the manufacturer under warranty) the mobile device administrator would just swap over the covers! She found the administrative burden of asset tagging such short lived assets was just too high and implemented this (not very effective) work-around to reduce the problem.

Other organisations sympathise with my ex-colleague and resolve the conundrum by not tagging the devices. This is fine, as long as you have some other way of tracking the devices through their lifecycle. This might be a simple bespoke database, or even a spreadsheet. The key thing is to ensure you make a note of the EMEI, make, model etc of every device that enters the organisation, make a note of which devices are being used and by who, and note in the spreadsheet when devices leave the organisation, whether they are lost or stolen or formally disposed of. You should regularly audit the devices to make sure you know where they all are and ensure the process are working properly.

Now, it can be pretty difficult to know who is using a device from one moment to the next, as they are generally considered business critical and if one fails it will often need to be replaced immediately. However for email enabled devices you will find that there is often a lot of discovered information available from the BES or equivalent, and you can use this to identify who is actually using which device from moment to moment. Remember we can be fairly confident that the discovered elements of the BES or other server are accurate because otherwise the devices would stop working.

However, it is important to note with Blackberries that some information (eg name, telephone no etc) that appears on the BES is not genuinely discovered because it is picked up from manually entered information on the device. The main bits of information you can rely on are SIM number, EMEI number and email addresses – the things that ensure emails reach the right recipient.

Lifecycle Management

Because physical mobile devices are basically small computers, we will find that we need to manage them throughout their entire lifecycle.

When they are first purchased, they should be entered into the a database or spreadsheet, as we discussed above, using the EMEI number to track the individual device.

Generally, the email server will give us a good idea of who is using it, along with other information such as the operating system installed, the make, model etc. This information will also help us make decisions about how to manage the lifecycle, including when and what devices should be upgraded and replaced with newer devices, what operating system upgrades might be required and when etc.

Just as for normal computers, if the device is lost or stolen, that fact needs to be reported to Data Security so they can conduct a risk assessment. Additionally, if an employee leaves the business, we should check whether they have a mobile device and ensure it is returned along with their other IT equipment.

Finally, when the device is disposed of, it should be sent to the same reputable salvager as your other IT equipment, using the same administrative processes to ensure nothing goes missing en route. At the moment, most salvagers shred the devices rather than preparing them for resale. However do ensure that you do your due diligence to be certain that they are indeed disposing of the devices appropriately.

Telephone number

The major risk associated with telephone numbers is the same for large organisations as it is for personal numbers – that a number assigned to you has been recycled, and so you end up with lots of ‘wrong number’ calls. For this reason, and also because it helps employees recognise internal numbers, some companies will request that their telecoms provider set aside a range of phone numbers for corporate use. Often there will be an additional charge involved for this service.

The drawback with this practice is that as you near the end of the range of numbers, you have to go back to the beginning and start recycling numbers within the range that are no longer used.

Why is this a drawback? Because one of the easiest ways to simplify the management of Mobile Devices is to allocate one telephone number to one person for their entire lifespan as a mobile device user. This means that a mobile device can be tracked back to its user through its phone number because there can only ever be a one to one relationship between telephone number and device. It is fine for one user to have two mobile devices, but they will have two telephone numbers against their name.

This reduces the number of independent data elements that need to be tracked, as well as providing a ‘primary key’ which will help when tracking and analysing the data in your database or spreadsheet.

Of course, even with a designated number range you can follow the principle of assigning telephone numbers to one person as much as possible.

So what about the situation when an employee wishes to use their personal number as their business number, or take their business number with them when they leave?

This is essentially a policy decision. As long as sound asset management principles are applied to the transfer of the number, it won’t cause too many problems. However, it is very time-consuming and expensive administratively, and for this reason alone should be discouraged.

Phew! That’s it for tonight, I think….

Next week I’ll go into more detail about how to manage the other elements of mobile devices.

It helps to understand why we care about mobile devices and want to manage them. There are two main categories of risks associated with them.

The first is financial risk – that the people using the mobile devices will make lots of expensive phone calls and waste money, or that the telephony carrier will charge incorrectly and no one will notice because of the complexity of the charging models and the number of transactions that need to be checked.

The second major risk category are data security risks. The most obvious risk is that the device, and the data on it, may get lost or stolen. But another major risk is that an employee will leave, and take and use the data on the device – in particular the contact details. In some industries this could represent a very serious risk to the business if the employee used the details to poach clients, for instance.

So controlling these risks are the things we need to focus on when deciding what and how to manage mobile devices.

So, as I discussed in my last post, there are seven elements of a mobile device we could manage if we wanted to.  These are:

• The physical device
• The telephone number
• SIM cards
• The email address or other data identification model
• The applications
• The contracts with the service provider
• The service provider bills.

We will think about how to manage the pressure to allow personal use on business devices in a different post.

Seven different elements and data sets to manage is a lot, to say the least. The first question to ask is: do we need to manage them all?

There is a wonderful American phrase “is the juice worth the squeeze?” which we should always bear in mind when doing any sort of asset management ie is the benefit involved in managing something worth the effort involved? In the case of of mobile devices, it’s certainly not always the case.

In my next post we’ll look at the costs and benefits of managing the different elements in relation to the risk factors we’ve identified.

PS Sorry I’ve not been posting much lately. I hope you’ve missed me! I’ve been on leave, and have been quite busy at work. I’m also on a Software Asset Management training course next week, so I’ll let you know how it goes.

PPS Wednesday night must be science night on BBC4. There have been two fascinating documentaries this evening, the first on evolution and the second of James Lovelock. The implications of his Gaia theory – that the earth is a giant feedback mechanism that is being overwhelmed by the CO2 we’re pumping into the atmosphere – makes the concerns about the validity of the detail of climate change data that are so loudly being aired in the media seem irrelevant.

These devices are complicated beasties, and have several elements that need to be managed. Management is particularly challenging because for many devices, the elements can all move independently. This post talks about the different elements of mobile devices and how they work, while later posts will discuss techniques to manage them in more detail.

Physical Device

Although the physical devices (mobile phones, blackberries etc) are not that expensive these days, companies do need to keep track of them, particularly those that contain company data. Although blackberries and other smart phones spring to mind, even the customer contact details entered into a mobile phone’s address book is valuable company data and needs to be protected.

Just as with personal mobile contracts, the physical device will often be subsidised for corporates who take out a contract with a mobile provider.

Telephone number

The telephone number tends to follow the person, and so moves from device to device. Telecoms companies also generally keep track of costs using the telephone number so it is important to keep track of whom numbers are assigned to so that costs can be accurately allocated and call details can be validated by the people who actually made them before paying the bill!

SIM Cards

SIM Cards (or their satellite equivalents) are the electronic chips that connect the device to the network. A telephone number is assigned to each SIM, which is how the network knows where to direct a call when someone rings a particular number. The actual chip is very easy to reprogramme and it isn’t particularly important to track it per se, the important thing when managing mobile devices is to be certain that the correct phone number is assigned to the correct SIM. Luckily for us, there is a very effective mechanism to let us know when something has gone wrong – people stop being able to make or receive calls, they complain, and it gets fixed very quickly!

Email or other data address

Smartphones and other devices that send and receive data over networks need to be connected correctly to the server that directs the data flows. For a blackberry, this is the blackberry server, and the device identifies itself to the server using a PIN, so that the blackberry knows which emails and other data it should forward to the device.

Just as with the SIM, the management of the PIN, and thus where emails and data are sent, is fairly straightforward because you will be very quickly informed when the device isn’t working properly!

Applications

This is a very new area which is developing rapidly as a result of the introduction of the iPhone. All mobile devices have an operating system, just as any computer does, but in the past the operating systems have been very locked down and only able to run a restricted number of basic applications (eg an address book, calendar etc). In the last few years, however, mobile device operating systems have become much more powerful and flexible, and now it is possible to connect to the internet and download, either for nothing or for a small fee, sophisticated applications for use on the phone. In a corporate setting, managing applications is going to be a NIGHTMARE, with massive data security and software asset management implications. But we’re very much at the beginning of the road, so rather than say too much, I will instead watch developments with interest!

Contracts

Connectivity services for mobile devices are generally provided through Telecoms operators on a subscription model. In order to ‘tie-in’ customers, the service may be provided for a set period of time, with penalties applying if the contract is cancelled early. Mobile operators will tie the contract to an individual, although sometimes the contract may be transferred to another individual (perhaps for a fee), and sometimes to a different phone number.

Managing contracts can be very difficult because they have very little relation to anything that is required to operate a mobile device on a practical basis. This means that keeping records up to date and accurate can be very difficult because there is no feedback to inform you when records are wrong. Additionally, a lot of costly administration is required to sign, store, renew, cancel, request upgrades etc.

Mobile Device Bills

Ah, the fun stuff… money! For each device, there is usually two charging elements – the subscription fee, generally paid on a monthly basis, and the discretionary costs associated with making phone calls and sending data. Charging structures for the discretionary aspects of the bill can be VERY complicated, particularly if the device has been used outside its home country (‘roaming’).

Because the charges applied vary so dramatically with use, it is important that users be given visibility of the line item detail on their bills (ie every call or email sent, encluding duration, bytes transferred, location etc) so that they can be certain the bill is correct and can take steps to minimise their own usage.

Business vs personal use

It is very common for people to want to use only the one mobile device for both personal and business use. This cuts down on the number of devices they need to carry around, and means they only need to remember one number. The decision as to whether to allow this should be considered very carefully – there can be tax implications if the company does not ensure individuals pay for personal calls (it is a ‘benefit in kind’) as well as data security implications if the person leaves suddenly without returning their device (the contacts in the address book of a mobile phone can be VERY dangerous in the hands of a disgruntled employee) and finally if an employee does leave they may request the number be ported to their new phone, which is, fundamentally, a pain in the neck from an administrative point of view!

So these are the basic elements we need to think about when managing mobile devices in an organisational setting. My next posts will go into more depth about how best to actually manage them!

Picture Credit: Kylie Fowler